OAuth Tokens - Geek Feed

Device code phishing attacks surge 37x as new kits spread online

April 7, 2026April 7, 2026 geekfeed0Tagged Access Token, EvilTokens, Kit, OAuth, OAuth Tokens, phishing, Phishing-as-a-Service

Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. In this type of attack, the threat actor sends a device authorization request to a service provider and receives a code, which is sent to the victim under various pretexts. Next, the […]

4 mins read

Hackers target Microsoft Entra accounts in device code vishing attacks

February 22, 2026February 22, 2026 geekfeed0Tagged Account takeover, Authentication Bypass, bypass, MFA, Microsoft 365, OAuth, OAuth Tokens, phishing

Threat actors are targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the […]

5 mins read

New ConsentFix attack hijacks Microsoft accounts via Azure CLI

December 13, 2025December 13, 2025 geekfeed0Tagged Account takeover, Azure CLI, ClickFix, Microsoft Account, OAuth, OAuth Tokens, phishing, Token

A new variation of the ClickFix attack dubbed ‘ConsentFix’ abuses the Azure CLI OAuth app to hijack Microsoft accounts without the need for a password or to bypass multi-factor authentication (MFA) verifications. A ClickFix attack is a social engineering technique that attempts to trick users into running commands on their computer to install malware or steal data. […]

3 mins read

New CoPhish attack steals OAuth tokens via Copilot Studio agents

October 28, 2025October 28, 2025 geekfeed0Tagged ai, Artificial Intelligence, Copilot, Copilot Studio, Microsoft Copilot Studio, Microsoft Entra, OAuth, OAuth Tokens, phishing

A new phishing technique dubbed ‘CoPhish’ weaponizes Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests via legitimate and trusted Microsoft domains. The technique was developed by researchers at Datadog Security Labs, who warned in a report earlier this week that Copilot Studio’s flexibility introduces new, undocumented phishing risks. Although CoPhish relies on social […]

5 mins read

FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data

September 17, 2025September 17, 2025 geekfeed0Tagged Data Theft, OAuth Tokens, Salesforce, Salesloft, Salesloft Drift, Scattered Spider, ShinyHunters

The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal data and extort victims. “The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 […]

4 mins read

Google warns Salesloft breach impacted some Workspace accounts

September 1, 2025September 1, 2025 geekfeed0Tagged google, Google Workspace, OAuth, OAuth Tokens, Salesforce, Salesloft, Salesloft Drift

Google now reports that the Salesloft Drift breach is larger than initially thought, warning that attackers also used stolen OAuth tokens to access a small number of Google Workspace email accounts in addition to stealing data from Salesforce instances. “Based on new information identified by GTIG, the scope of this compromise is not exclusive to […]

2 mins read